From c90bbbb40be7e919e4a336d4e80e9f8a6bd58b9c Mon Sep 17 00:00:00 2001
From: Ryan Lewis
Date: Mon, 31 Oct 2022 22:04:33 +0000
Subject: [PATCH 1/2] Bumped Jackson to 2.12.7.1 Fixes CVE-2022-42003
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 5483dc4bc4..41d9bcb99e 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -10,7 +10,7 @@ jsoup_version=1.14.3
 idea_version=213.6777.52
 language_version=1.4
 # jackson 2.13.X does not support kotlin language version 1.4, check before updating
-jackson_version=2.12.7
+jackson_version=2.12.7.1
 freemarker_version=2.3.31
 # Code style
 kotlin.code.style=official
From 7487c82749934a04f585d8c14f33250b3d41c1bc Mon Sep 17 00:00:00 2001
From: Ryan Lewis
Date: Mon, 7 Nov 2022 12:24:41 +0000
Subject: [PATCH 2/2] Introduced jackson-databind constraint
---
 core/build.gradle.kts | 6 ++++++
 gradle.properties | 4 +++-
 plugins/all-modules-page/build.gradle.kts | 6 ++++++
 plugins/base/build.gradle.kts | 6 ++++++
 plugins/gfm/build.gradle.kts | 6 ++++++
 plugins/templating/build.gradle.kts | 6 ++++++
 plugins/versioning/build.gradle.kts | 6 ++++++
 7 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/core/build.gradle.kts b/core/build.gradle.kts
index 97b8997649..41db29d3d1 100644
--- a/core/build.gradle.kts
+++ b/core/build.gradle.kts
@@ -15,6 +15,12 @@ dependencies {
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
 implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-xml:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 val coroutines_version: String by project
 implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
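Review bot: The `constraints { implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") { because("CVE-2022-42003") } }` block added here is pasted verbatim into five more build scripts in this commit (plugins/all-modules-page, plugins/base, plugins/gfm, plugins/templating, plugins/versioning), so the next databind patch release has to be applied in six places, and any subproject that pulls jackson-databind in transitively without this block presumably still resolves the unpatched 2.12.7. Declaring the constraint once for every subproject from the root build script (for example inside `subprojects { dependencies { constraints { … } } }`, or a shared platform project) would pin it everywhere and leave a single place to update. If the per-module copies stay, the reason string should say what the pin does rather than only the CVE id, e.g. `because("CVE-2022-42003: force jackson-databind to the patched 2.12.7.1 line; keep in step with jackson_version")`. The enclosing `dependencies {` block opens above the hunk and closes below it.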
diff --git a/gradle.properties b/gradle.properties
index 41d9bcb99e..cd86cf4085 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -10,7 +10,9 @@ jsoup_version=1.14.3
 idea_version=213.6777.52
 language_version=1.4
 # jackson 2.13.X does not support kotlin language version 1.4, check before updating
-jackson_version=2.12.7.1
+jackson_version=2.12.7
+# fixes CVE-2022-42003
+jackson_databind_version=2.12.7.1
 freemarker_version=2.3.31
 # Code style
 kotlin.code.style=official
diff --git a/plugins/all-modules-page/build.gradle.kts b/plugins/all-modules-page/build.gradle.kts
index f993d45c18..a690e07775 100644
--- a/plugins/all-modules-page/build.gradle.kts
+++ b/plugins/all-modules-page/build.gradle.kts
@@ -18,6 +18,12 @@ dependencies {
 implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 val kotlinx_html_version: String by project
 implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")
diff --git a/plugins/base/build.gradle.kts b/plugins/base/build.gradle.kts
index 91684ece7a..93348ed792 100644
--- a/plugins/base/build.gradle.kts
+++ b/plugins/base/build.gradle.kts
@@ -11,6 +11,12 @@ dependencies {
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 val freemarker_version: String by project
 implementation("org.freemarker:freemarker:$freemarker_version")
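Review bot: The new `jackson_databind_version` property in the gradle.properties hunk decouples the databind release from `jackson_version`, but nothing records that the two are expected to stay on the same minor line; the existing comment above only warns about 2.13 versus Kotlin 1.4. Jackson modules are generally expected to match databind's minor version, so bumping one property without the other would presumably fail at runtime rather than at dependency resolution. Suggest widening the added comment to `# fixes CVE-2022-42003; must stay on the same 2.12.x minor line as jackson_version above`.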
diff --git a/plugins/gfm/build.gradle.kts b/plugins/gfm/build.gradle.kts
index 8b1be11df6..ee486dfdca 100644
--- a/plugins/gfm/build.gradle.kts
+++ b/plugins/gfm/build.gradle.kts
@@ -6,6 +6,12 @@ dependencies {
 testImplementation(project(":plugins:base:base-test-utils"))
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 }
 registerDokkaArtifactPublication("gfmPlugin") {
diff --git a/plugins/templating/build.gradle.kts b/plugins/templating/build.gradle.kts
index d6d602ddf6..ee1067efa4 100644
--- a/plugins/templating/build.gradle.kts
+++ b/plugins/templating/build.gradle.kts
@@ -11,6 +11,12 @@ dependencies {
 implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 val kotlinx_html_version: String by project
 implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")
diff --git a/plugins/versioning/build.gradle.kts b/plugins/versioning/build.gradle.kts
index f838399bd3..7d585a449d 100644
--- a/plugins/versioning/build.gradle.kts
+++ b/plugins/versioning/build.gradle.kts
@@ -12,6 +12,12 @@ dependencies {
 implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")
 val jackson_version: String by project
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jackson_version")
+ val jackson_databind_version: String by project
+ constraints {
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jackson_databind_version") {
+ because("CVE-2022-42003")
+ }
+ }
 val kotlinx_html_version: String by project
 implementation("org.jetbrains.kotlinx:kotlinx-html-jvm:$kotlinx_html_version")